I don't know if there is such a system (I hardly doubt it, where your application is so specific to your needs pg + S3 + "Somewhere Else").
First you should create a middle layer to enforce authorization/authentication:
It may depend on the query requested and the nature of the workload you want to provide.
For example; do the users interact with your service in a request/response matter (and providing the credentials in the request) or the users interact in a session (providing all of the credentials and transact with the service over a period of time) ?
Secondly, you should strive to expose a uniform API to the user for interacting with your system through it. The user shouldn't know your implementation details and you should encapsulate it from him.
You may support only a limited functionality due to this abstraction and you'll have to translate the queries accordingly. (i.e. running such predicate as you mention where one data store is pg and the other data store is S3 may be non-trivial in some settings)
Another option is to consolidate your operation to a single data-store system (for instance limit yourself to pg) use its' expressive API / authorization facilities etc.
And only use other data stores (w/o combining them in such inter-queries) for limited purposes (for example, cold storage of logs).
(Best of luck!)